Using Fail2ban to protect WordPress from xmlrpc.php CC attacks

Contents

  • Analyze the logs
  • Install fail2ban and iptables
  • Configure fail2ban jail.local
  • Configure a custom fail2ban filter
  • Restart fail2ban and check the log

WordPress is a very powerful CMS (content management system) with a rich feature set. But those same features make it easy to abuse, leading to an unstable or even crashed server. The file most often attacked is xmlrpc.php: an attacker only needs to send one POST request per second to it and, in under a minute, a VPS with 512 MB of RAM running Debian 7 goes down, because the PHP processes and MySQL consume so much memory that the site becomes unreachable. After trying several of the anti-attack methods circulating online, fail2ban turned out to be the most effective, so here is a short record of the process for reference.

Analyze the logs

When the server starts misbehaving, the first step is to look at the Nginx log, /var/log/nginx/access.log. In it you can see the following suspicious IPs sending POST requests to xmlrpc.php non-stop, roughly once every 2 seconds per IP. Strictly speaking that rate is not high, but it is enough to crash the PHP and MySQL processes.

185.188.204.16 - - [15/Jul/2017:23:51:07 -0400] "POST /xmlrpc.php HTTP/1.0" 502 574 "-" "*****"
185.188.204.6 - - [15/Jul/2017:23:51:08 -0400] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "*****"
185.188.204.8 - - [15/Jul/2017:23:51:08 -0400] "POST /xmlrpc.php HTTP/1.0" 502 574 "-" "*****"
185.188.204.14 - - [15/Jul/2017:23:51:08 -0400] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "*****"
185.188.204.16 - - [15/Jul/2017:23:51:08 -0400] "POST /xmlrpc.php HTTP/1.0" 502 574 "-" "*****"
185.188.204.7 - - [15/Jul/2017:23:51:08 -0400] "POST /xmlrpc.php HTTP/1.0" 502 574 "-" "*****"
185.188.204.12 - - [15/Jul/2017:23:51:09 -0400] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "*****"
185.188.204.11 - - [15/Jul/2017:23:51:09 -0400] "POST /xmlrpc.php HTTP/1.0" 502 574 "-" "*****"
185.188.204.15 - - [15/Jul/2017:23:51:09 -0400] "POST /xmlrpc.php HTTP/1.0" 502 574 "-" "*****"
185.188.204.11 - - [15/Jul/2017:23:51:09 -0400] "POST /xmlrpc.php HTTP/1.0" 502 574 "-" "*****"

Install fail2ban and iptables

Install fail2ban together with iptables so that attacks can be blocked at the firewall with iptables; compared with JavaScript- or PHP-based defences this is more automated and more efficient.

apt-get install fail2ban iptables  
Configure fail2ban jail.local

Put the settings in jail.local:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local  
vi /etc/fail2ban/jail.local  
[xmlrpc]
enabled = true
filter = xmlrpc
action = iptables[name=xmlrpc, port=http, protocol=tcp]
logpath = /var/log/nginx/access.log
bantime = 43600
maxretry = 2

Configure a custom fail2ban filter

vi /etc/fail2ban/filter.d/xmlrpc.conf
[Definition]
failregex = ^<HOST> .*POST .*xmlrpc.php.*
ignoreregex =

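To see how this filter and the jail parameters work together, here is an added Python script (not from the original post and not fail2ban's own code) that applies the failregex above to constructed Nginx log lines and replays fail2ban's counting rule with maxretry = 2 and the findtime = 600 that fail2ban's log reports. It assumes a simplified expansion of the <HOST> tag to a non-space capture group, and the 203.0.113.5 client and the next-day request are constructed inputs.

```python
import re
from collections import defaultdict
from datetime import datetime
# failregex from the page's xmlrpc.conf; fail2ban's <HOST> tag is replaced here by a
# plain non-space capture group (a simplification of fail2ban's own expansion).
FAILREGEX = re.compile(r"^(?P<host>\S+) .*POST .*xmlrpc\.php.*")
# Nginx access-log timestamp, e.g. [15/Jul/2017:23:51:07 -0400]
TIMESTAMP = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def parse_failure(line):
    """Return (host, timestamp) when the line matches the filter, else None."""
    m = FAILREGEX.match(line)
    ts = TIMESTAMP.search(line)
    if not m or not ts:
        return None
    return m.group("host"), datetime.strptime(ts.group(1), TS_FORMAT)

def simulate_bans(lines, maxretry=2, findtime=600):
    """Replay fail2ban's rule: a host is banned once it has maxretry matching
    lines within findtime seconds (older hits fall out of the window).
    Returns {host: time_of_ban} in the order the bans happen."""
    failures = defaultdict(list)
    banned = {}
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue
        host, ts = hit
        if host in banned:
            continue  # already banned, later lines change nothing
        window = [t for t in failures[host] if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        failures[host] = window
        if len(window) >= maxretry:
            banned[host] = ts
    return banned

# Constructed sample in the same format as the page's access.log excerpt.
SAMPLE_LOG = [
    '185.188.204.16 - - [15/Jul/2017:23:51:07 -0400] "POST /xmlrpc.php HTTP/1.0" 502 574 "-" "*****"',
    '185.188.204.6 - - [15/Jul/2017:23:51:08 -0400] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "*****"',
    '185.188.204.16 - - [15/Jul/2017:23:51:08 -0400] "POST /xmlrpc.php HTTP/1.0" 502 574 "-" "*****"',
    '203.0.113.5 - - [15/Jul/2017:23:51:09 -0400] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [15/Jul/2017:23:51:10 -0400] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '185.188.204.6 - - [16/Jul/2017:00:10:00 -0400] "POST /xmlrpc.php HTTP/1.0" 502 574 "-" "*****"',
]
if __name__ == "__main__":
    for host, when in simulate_bans(SAMPLE_LOG).items():
        print(f"[xmlrpc] Ban {host} at {when:%Y-%m-%d %H:%M:%S}")
```

Before deploying the real filter, `fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/xmlrpc.conf` reports how many lines of the real log it matches. Note that the regex matches every POST to xmlrpc.php, so legitimate XML-RPC clients such as Jetpack or the WordPress mobile apps will also be banned after two requests unless you whitelist them with ignoreip.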
Restart fail2ban and check the log

Once everything is configured, restart the fail2ban service for the changes to take effect:

service fail2ban restart  

Then watch the fail2ban log to see how the defence is doing:

tail -f /var/log/fail2ban.log  
2017-07-15 23:51:38,265 fail2ban.jail   : INFO   Creating new jail 'ssh'
2017-07-15 23:51:38,266 fail2ban.jail   : INFO   Jail 'ssh' uses Gamin
2017-07-15 23:51:38,287 fail2ban.filter : INFO   Set maxRetry = 6
2017-07-15 23:51:38,288 fail2ban.filter : INFO   Set findtime = 600
2017-07-15 23:51:38,288 fail2ban.actions: INFO   Set banTime = 600
2017-07-15 23:51:38,320 fail2ban.jail   : INFO   Creating new jail 'xmlrpc'
2017-07-15 23:51:38,320 fail2ban.jail   : INFO   Jail 'xmlrpc' uses Gamin
2017-07-15 23:51:38,321 fail2ban.filter : INFO   Added logfile = /var/log/nginx/access.log
2017-07-15 23:51:38,322 fail2ban.filter : INFO   Set maxRetry = 2
2017-07-15 23:51:38,323 fail2ban.filter : INFO   Set findtime = 600
2017-07-15 23:51:38,323 fail2ban.actions: INFO   Set banTime = 43600
2017-07-15 23:51:38,328 fail2ban.jail   : INFO   Jail 'ssh' started
2017-07-15 23:51:38,329 fail2ban.jail   : INFO   Jail 'xmlrpc' started
# The lines above show that the custom xmlrpc filter is active
2017-07-15 23:51:45,350 fail2ban.actions: WARNING [xmlrpc] Ban 185.188.204.8
2017-07-15 23:51:45,361 fail2ban.actions: WARNING [xmlrpc] Ban 185.188.204.9
2017-07-15 23:51:45,368 fail2ban.actions: WARNING [xmlrpc] Ban 185.188.204.6
2017-07-15 23:51:45,376 fail2ban.actions: WARNING [xmlrpc] Ban 185.188.204.7
2017-07-15 23:51:45,382 fail2ban.actions: WARNING [xmlrpc] Ban 185.188.204.16
2017-07-15 23:51:45,387 fail2ban.actions: WARNING [xmlrpc] Ban 185.188.204.14
2017-07-15 23:51:45,392 fail2ban.actions: WARNING [xmlrpc] Ban 185.188.204.15
2017-07-15 23:51:45,400 fail2ban.actions: WARNING [xmlrpc] Ban 185.188.204.12
2017-07-15 23:51:45,415 fail2ban.actions: WARNING [xmlrpc] Ban 185.188.204.10
2017-07-15 23:51:45,426 fail2ban.actions: WARNING [xmlrpc] Ban 185.188.204.11
# The lines above show the IPs attacking xmlrpc being banned successfully

Reference: https://rbgeek.wordpress.com/2014/09/11/block-wordpress-xmlprc-php-ddos-attacks-using-fail2ban/

WordPress plugin: https://wordpress.org/plugins/wp-fail2ban/


Original source: gubo -> https://www.gubo.org/fail2ban-protect-wordpress-from-xmlrpc-post-cc-attack/
